Strong Password Protocols CS 465 Strong Password Protocols Last Updated: Oct 27, 2016

Motivation Users continue to use the familiar password login method Password is no longer sent in the clear Advanced approaches – the server doesn’t store the password or password equivalent data Eavesdroppers and impersonators obtain no information for an online attack

Lamport’s Hash

Lamport’s Hash Simple beginning: one time password scheme using iterated hashes see http://lodestone.org/people/hoss/ops/node5.html Trusted BOB knows  n, hashn(password)  Compares hash(x) to hashn (password); If equal, replaces  hashn (password)  With  n-1, x  Alice Alice, pwd Alice’s Workstation Bob Alice n x = hashn-1 (pwd)

Attack on Lamport’s Hash Small n attack Active attacker intercepts servers reply message with n and changes it to a smaller value Attacker can easily manipulate the response (repeatedly) to impersonate Alice Eavesdropper captures Alice’s hashed reply and conducts off-line attack Replay Alice’s response to other servers where Alice may use the same password Thwart using salt at the server – server hashes pw || salt and sends n and the salt to Alice during login Salt also permits automatic password refresh when n reaches 1

Encrypted Key Exchange (EKE)

Encrypted Key Exchange (EKE) Both parties know W Can an off-line attack be done? “Alice”, W{ga mod p} W{gb mod p, CA} can compute KAB = gab mod p Alice Bob KAB{CA, CB} KAB{CA}

Augmented EKE EKE vulnerable to database disclosure since Bob stores W in the clear Defense: Augmented EKE – Alice knows the password, Bob knows a one-way hash of it Bob stores: gW mod p Alice Bob “Alice”, ga mod p gb mod p, H(gab mod p, gbW mod p) H’(gab mod p, gbW mod p) what’s the possible attack? if Trudy steals Alice’s password from Bob, Trudy can impersonate Alice

Strong Remote Password (SRP)

SRP Setup Carol picks password P and salt s Carol computes the following: Steve stores v and s as Carol’s password verifier and salt See authentication steps on next slide

SRP Benefits An attacker with neither the user's password nor the host's password file cannot mount a dictionary attack on the password. Mutual authentication is achieved in this scenario. An attacker who captures the host's password file cannot directly compromise user-to-host authentication and gain access to the host without an expensive dictionary search. An attacker who compromises the host does not obtain the the password from a legitimate authentication attempt. An attacker who captures the session key cannot use it to mount a dictionary attack on the password. An attacker who captures the user's password cannot use it to compromise the session keys of past sessions.

Summary Observe how DH idea has been extended to strong password protocols Patents have slowed the adoption of these ideas, but they are starting to expire. We may see a resurgence soon. SRP can run without an SSL connection. There is a proposed TLS-SRP extension to do an SRP mutual authentication handshake. Potential to deter phishing attacks.